-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Weston Steimel <[email protected]>
- Loading branch information
1 parent
5760cfc
commit 0786548
Showing
30 changed files
with
819 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "patchstack", | ||
| "cveId": "CVE-2023-47873", | ||
| "description": "Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator.This issue affects WP Child Theme Generator: from n/a through 1.0.9.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://patchstack.com/database/vulnerability/wp-child-theme-generator/wordpress-wp-child-theme-generator-plugin-1-0-8-arbitrary-file-upload-vulnerability?_s_id=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:wensolutions:wp_child_theme_generator:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "wp-child-theme-generator", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "WP Child Theme Generator", | ||
| "repo": "https://plugins.svn.wordpress.org/wp-child-theme-generator", | ||
| "vendor": "WEN Solutions", | ||
| "versions": [ | ||
| { | ||
| "lessThanOrEqual": "1.0.9", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "custom" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| }, | ||
| "references": [ | ||
| { | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49fcd2cb-d880-4152-a736-33fd90f07083?source=cve" | ||
| } | ||
| ] | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "apache", | ||
| "cveId": "CVE-2023-52291", | ||
| "description": "In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nBackground:\n\nIn the \"Project\" module, the maven build args “<” operator causes command injection. e.g : “< (curl http://xxx.com )” will be executed as a command injection,\n\nMitigation:\n\nall users should upgrade to 2.1.4, The \"<\" operator will blocked。", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "http://www.openwall.com/lists/oss-security/2024/07/17/1", | ||
| "https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://repo.maven.apache.org/maven2", | ||
| "cpes": [ | ||
| "cpe:2.3:a:org.apache.streampark:streampark-console-service:*:*:*:*:*:maven:*:*" | ||
| ], | ||
| "packageName": "org.apache.streampark:streampark-console-service", | ||
| "packageType": "maven", | ||
| "product": "Apache StreamPark (incubating)", | ||
| "repo": "https://github.com/apache/incubator-streampark", | ||
| "vendor": "Apache Software Foundation", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "2.1.4", | ||
| "status": "affected", | ||
| "version": "2.0.0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| }, | ||
| "references": [ | ||
| { | ||
| "url": "https://github.com/apache/incubator-streampark/pull/3661" | ||
| } | ||
| ] | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "eclipse", | ||
| "cveId": "CVE-2023-7272", | ||
| "description": "In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://repo.maven.apache.org/maven2", | ||
| "cpes": [ | ||
| "cpe:2.3:a:org.eclipse.parsson:parsson:*:*:*:*:*:maven:*:*" | ||
| ], | ||
| "packageName": "org.eclipse.parsson:parsson", | ||
| "packageType": "maven", | ||
| "product": "Parsson", | ||
| "vendor": "Eclipse Foundation", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "1.0.4", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| }, | ||
| { | ||
| "lessThan": "1.1.3", | ||
| "status": "affected", | ||
| "version": "1.1.0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -104,7 +104,6 @@ | |
| } | ||
| ] | ||
| }, | ||
|
|
||
| { | ||
| "cpes": [ | ||
| "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*" | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -104,7 +104,6 @@ | |
| } | ||
| ] | ||
| }, | ||
|
|
||
| { | ||
| "cpes": [ | ||
| "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*" | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -59,7 +59,6 @@ | |
| } | ||
| ] | ||
| }, | ||
|
|
||
| { | ||
| "cpes": [ | ||
| "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*" | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -104,7 +104,6 @@ | |
| } | ||
| ] | ||
| }, | ||
|
|
||
| { | ||
| "cpes": [ | ||
| "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*" | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "apache", | ||
| "cveId": "CVE-2024-29737", | ||
| "description": "In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\nBackground info:\n\nLog in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the \"Build Argument\". Note that there is no verification and interception of the special character \"`\". As a result, you will find that this injection command will be successfully executed after executing the build.\n\nIn the latest version, the special symbol ` is intercepted.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "http://www.openwall.com/lists/oss-security/2024/07/17/2", | ||
| "https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://repo.maven.apache.org/maven2", | ||
| "cpes": [ | ||
| "cpe:2.3:a:org.apache.streampark:streampark-console-service:*:*:*:*:*:maven:*:*" | ||
| ], | ||
| "packageName": "org.apache.streampark:streampark-console-service", | ||
| "packageType": "maven", | ||
| "product": "Apache StreamPark (incubating)", | ||
| "repo": "https://github.com/apache/incubator-streampark", | ||
| "vendor": "Apache Software Foundation", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "2.1.4", | ||
| "status": "affected", | ||
| "version": "2.0.0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| }, | ||
| "references": [ | ||
| { | ||
| "url": "https://github.com/apache/incubator-streampark/pull/3661" | ||
| } | ||
| ] | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "apache", | ||
| "cveId": "CVE-2024-30471", | ||
| "description": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.\nThis allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.", | ||
| "needsReview": true, | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr" | ||
| ], | ||
| "todos": [ | ||
| "Check for precise affected package" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "cpes": [ | ||
| "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*" | ||
| ], | ||
| "product": "Apache StreamPipes", | ||
| "repo": "https://github.com/apache/streampipes", | ||
| "vendor": "Apache Software Foundation", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "0.95.0", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "maven" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.